Closed Bug 400744 Opened 17 years ago Closed 17 years ago

Pure virtual function call and crash invoking context menu

Categories

(Firefox :: General, defect)

Product:
Firefox
Component:
General
Version:
2.0 Branch
Platform:
x86
Windows XP
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: john_mcdonnell, Assigned: smaug)

References

(
URL
)

Details

(4 keywords)

Attachments

(1 file, 2 obsolete files)

Screenshot of crash taken from Windows XP SP2 machine (no Talkback)
7.88 KB, image/png
Details 
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.8) Gecko/20071008 Firefox/2.0.0.8
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.8) Gecko/20071008 Firefox/2.0.0.8

When I click the right mouse button to invoke the context menu on certain web pages, Firefox 2.0.0.8 crashes with a "Pure virtual function call" error. This problem does NOT happen with Firefox 2.0.0.7. 

Reproducible: Always

Steps to Reproduce:
Using Firefox 2.0.0.8 (not 2.0.0.7) on either Windows XP SP2 or Windows 2003 SP1 (both fully patched):
1. Go to http://www.bindows.net/demos/
2. Click the "Bindows Quick Demo" link (a popup will launch)
3. Click the "Grids and Trees" tab
4. Right click twice (sometimes three times) inside the table.
-> Get the "pure virtual function call" error.
Actual Results:  
Pure virtual function call error.

Expected Results:  
A browser-drawn (DHTML) menu appears.

Talkback info was submitted and is attached. Also is attached is an attempt at getting a stack trace using WinDbg on Windows 2003.
Attached file Copy and paste from Talkback (obsolete) — 
This is what Talkback reported.
This is what WinDbg output reported when run on a retail (sorry, not a debug version) Windows 2003 machine. I also tried a Windows XP machine, but was could not get WinDbg to give me a stack trace; instead, the "Pure virtual function call" dialog appeared instead. On the Windows 2003 box, the "Pure virtual function call" dialog did not appear.
Additional info for keyword searchers: R6025
Keywords: crash
Here's a screenshot from my WinXP SP2 machine. Talkback was not enabled. The text is:
-------------------
Runtime Error!
Program: c:\Program Files\Mozilla_Firefox_2_0_0\firefox.exe

R6025
 - pure virtual function call
----------
with an OK button.
Comment on attachment 285773 [details]
Copy and paste from Talkback

reporter: you can't get useful information from the talkback client. please see a wiki page for information on how to get your incident id.

In this case, I spent the time to retrieve your incident for you (and it took way too long, so I hope never to need to do it again):
Incident ID: 37241314
Stack Signature	Detecting 2fc684bf
Product ID	Firefox2
Build ID	2007100816
Trigger Time	2007-10-22 13:32:11.0
Platform	Win32
Operating System	Windows NT 5.2 build 3790
Module	js3250.dll + (0003224c)
URL visited	http://www.bindows.net/demos/
User Comments	1) Click "Bindows Quick Demo" 2) Click "Grids and Tree" 3) Right click two or three times.
Since Last Crash	24 sec
Total Uptime	24 sec
Trigger Reason	Access violation
Source File, Line No.	c:/builds/tinderbox/Fx-Mozilla1.8-Release/WINNT_5.2_Depend/mozilla/js/src/jsobj.c, line 3122
Stack Trace 	
Detecting  [mozilla/js/src/jsobj.c, line 3122]
js_LookupProperty  [mozilla/js/src/jsobj.c, line 3165]
js_GetProperty  [mozilla/js/src/jsobj.c, line 3543]
nsXPCWrappedJSClass::CallQueryInterfaceOnJSObject  [mozilla/js/src/xpconnect/src/xpcwrappedjsclass.cpp, line 243]
nsXPCWrappedJSClass::DelegatedQueryInterface  [mozilla/js/src/xpconnect/src/xpcwrappedjsclass.cpp, line 633]
nsXPCWrappedJS::QueryInterface  [mozilla/js/src/xpconnect/src/xpcwrappedjs.cpp, line 106]
nsEventListenerManager::HandleEvent  [mozilla/content/events/src/nsEventListenerManager.cpp, line 1752]
nsXULElement::HandleDOMEvent  [mozilla/content/xul/content/src/nsXULElement.cpp, line 2232]
nsXULElement::HandleDOMEvent  [mozilla/content/xul/content/src/nsXULElement.cpp, line 2255]
nsXULElement::HandleDOMEvent  [mozilla/content/xul/content/src/nsXULElement.cpp, line 2255]
nsXULElement::HandleDOMEvent  [mozilla/content/xul/content/src/nsXULElement.cpp, line 2255]
nsXULElement::HandleDOMEvent  [mozilla/content/xul/content/src/nsXULElement.cpp, line 2255]
nsXULElement::HandleChromeEvent  [mozilla/content/xul/content/src/nsXULElement.cpp, line 2897]
nsGlobalWindow::HandleDOMEvent  [mozilla/dom/src/base/nsGlobalWindow.cpp, line 1761]
nsDocument::HandleDOMEvent  [mozilla/content/base/src/nsDocument.cpp, line 4099]
nsGenericElement::HandleDOMEvent  [mozilla/content/base/src/nsGenericElement.cpp, line 2269]
nsGenericElement::HandleDOMEvent  [mozilla/content/base/src/nsGenericElement.cpp, line 2261]
nsGenericElement::HandleDOMEvent  [mozilla/content/base/src/nsGenericElement.cpp, line 2261]
nsGenericElement::HandleDOMEvent  [mozilla/content/base/src/nsGenericElement.cpp, line 2261]
nsGenericElement::HandleDOMEvent  [mozilla/content/base/src/nsGenericElement.cpp, line 2261]
nsGenericElement::HandleDOMEvent  [mozilla/content/base/src/nsGenericElement.cpp, line 2261]
nsGenericElement::HandleDOMEvent  [mozilla/content/base/src/nsGenericElement.cpp, line 2261]
nsGenericElement::HandleDOMEvent  [mozilla/content/base/src/nsGenericElement.cpp, line 2261]
nsGenericElement::HandleDOMEvent  [mozilla/content/base/src/nsGenericElement.cpp, line 2261]
nsGenericElement::HandleDOMEvent  [mozilla/content/base/src/nsGenericElement.cpp, line 2261]
nsGenericElement::HandleDOMEvent  [mozilla/content/base/src/nsGenericElement.cpp, line 2261]
nsGenericElement::HandleDOMEvent  [mozilla/content/base/src/nsGenericElement.cpp, line 2261]
nsGenericElement::HandleDOMEvent  [mozilla/content/base/src/nsGenericElement.cpp, line 2261]
nsGenericElement::HandleDOMEvent  [mozilla/content/base/src/nsGenericElement.cpp, line 2261]
nsGenericElement::HandleDOMEvent  [mozilla/content/base/src/nsGenericElement.cpp, line 2261]
nsEventStateManager::DispatchMouseEvent  [mozilla/content/events/src/nsEventStateManager.cpp, line 2797]
nsEventStateManager::NotifyMouseOver  [mozilla/content/events/src/nsEventStateManager.cpp, line 2922]
nsEventStateManager::GenerateMouseEnterExit  [mozilla/content/events/src/nsEventStateManager.cpp, line 2954]
nsEventStateManager::PreHandleEvent  [mozilla/content/events/src/nsEventStateManager.cpp, line 567]
PresShell::HandleEventInternal  [mozilla/layout/base/nsPresShell.cpp, line 6468]
PresShell::HandleEvent  [mozilla/layout/base/nsPresShell.cpp, line 6310]
nsViewManager::HandleEvent  [mozilla/view/src/nsViewManager.cpp, line 2566]
nsViewManager::DispatchEvent  [mozilla/view/src/nsViewManager.cpp, line 2253]
HandleEvent  [mozilla/view/src/nsView.cpp, line 174]
nsWindow::DispatchEvent  [mozilla/widget/src/windows/nsWindow.cpp, line 1319]
nsWindow::DispatchMouseEvent  [mozilla/widget/src/windows/nsWindow.cpp, line 6329]
ChildWindow::DispatchMouseEvent  [mozilla/widget/src/windows/nsWindow.cpp, line 6576]
nsWindow::WindowProc  [mozilla/widget/src/windows/nsWindow.cpp, line 1507]
USER32.dll + 0x1b6e3 (0x7739b6e3)
USER32.dll + 0x1b874 (0x7739b874)
USER32.dll + 0x1ba92 (0x7739ba92)
USER32.dll + 0x1bad0 (0x7739bad0)
nsAppShell::Run  [mozilla/widget/src/windows/nsAppShell.cpp, line 159]
nsAppStartup::Run  [mozilla/toolkit/components/startup/src/nsAppStartup.cpp, line 152]
main  [mozilla/browser/app/nsBrowserApp.cpp, line 61]
kernel32.dll + 0x2f23b (0x77e6f23b)

However, detecting shouldn't be a Pure Virtual crash
Attachment #285773 - Attachment is obsolete: true
Comment on attachment 285774 [details]
WinDbg output / stack trace from Windows 2003

In order o use windbg w/ firefox, you need to have symbols, see: http://developer.mozilla.org/en/docs/How_to_get_a_stacktrace_with_WinDbg

I think this is one of a dozen pages that migh explain how to get a talkback incident id (again, you don't need it for the incident you've already reported as I retrieved it in comment 5):
http://kb.mozillazine.org/Talkback
Attachment #285774 - Attachment is obsolete: true
This is worksforme, using:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.8) Gecko/20071008 Firefox/2.0.0.8

John, if you can reproduce this consistently, you could try out older branch builds (directories ending with mozilla-1.8) to see in which of the builds it started crashing: 
http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/
Flags: blocking1.8.1.10?
WFM, Firefox 2.0.0.8 on Windows XP, Vista and Linux.

John, can you reproduce the crash in Firefox Safe Mode?
(it temporarily disables add-ons and themes, this test will help us narrow
down the cause of the problem) --  See http://kb.mozillazine.org/Safe_Mode

Good news, bad news.

The good news is that I can reproduce the crash in safe mode, with or without a debugger. I can reproduce it in the build from http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2007-10-05-03-mozilla1.8/firefox-2.0.0.8pre.en-US.win32.zip but not in the build from http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2007-10-03-03-mozilla1.8/firefox-2.0.0.8pre.en-US.win32.zip . So it looks like the problematic checkin happened between 10-03 and 10-05 (thanks, Martin).

The bad news is that I can no longer reproduce the problem with the original URL http://www.bindows.net/demos/ and repro steps. I can still reproduce the problem, though, but the web site that I'm using is only on my company's intranet. (A little background here: the intranet site was written using the Bindows JavaScript toolkit from the URL above). The Bindows site may have been patched to work around the problem.

Another piece of bad news is that I cannot get a stack trace by following the instructions at http://developer.mozilla.org/en/docs/How_to_get_a_stacktrace_with_WinDbg . I tried WinDbg and MS VC++ 2005 Express  I get errors such as:

'firefox.exe': Loaded 'C:\ff-test\2007-10-07-03-firefox-2.0.0.8pre.en-US.win32\firefox\firefox.exe', No symbols loaded.
...snip MS binaries....
'firefox.exe': Loaded 'C:\ff-test\2007-10-07-03-firefox-2.0.0.8pre.en-US.win32\firefox\js3250.dll', No symbols loaded.
...etc....

for all of the Firefox binaries. I'm new to using a debugger, but it looks like the symbols aren't getting downloaded.
 
John, thanks for finding out the regression range.
This is a bonsai links that contains all the check-ins to the 1.8 branch:
http://bonsai.mozilla.org/cvsquery.cgi?treeid=default&module=all&branch=MOZILLA_1_8_BRANCH&branchtype=match&dir=&file=&filetype=match&who=&whotype=match&sortby=Date&hours=2&date=explicit&mindate=2007-10-03+03&maxdate=2007-10-05+04&cvsroot=%2Fcvsroot
Maybe somehow a regression from bug 384105?

Unfortunate that it doesn't work anymore on the bindows demo site. An example/testcase that reproducible crashes would be very helpful. 
Maybe the symbol server have symbols for 2.0.0.8?
http://developer.mozilla.org/en/docs/Using_the_Mozilla_symbol_server
Component: OS Integration → General
QA Contact: os.integration → general
Looks like a branch regression...
Keywords: regression
Version: unspecified → 2.0 Branch
Flags: blocking1.8.1.9?
Mats, I *had* read that page on using the symbol server. I still don't get symbols downloaded to my machine. See http://developer.mozilla.org/en/docs/Talk:Using_the_Mozilla_symbol_server for gory details.

All - sorry, I still don't have a site where it can be demoed.
Blocks: 384105
The referred site, http://www.bindows.net/demos/ does no longer reproduce the problem. Since this is our public demos, we worked around the issue temporarily by adding a short break (timer) in the rendering of a context meny.

In isolated testcase posted by Marcus Better in #400976 reproduces the issue

Some additional observations: 
In some cases, the browser indeed crashes, in others such as using a slower computer or running the Linux version of 2.0.0.8, the context menu disappears just after showing.
Depends on: 400976
Are there any ways to reproduce this?
The patch in bug 400976 may or may not help with this.
(In reply to comment #15)
> Are there any ways to reproduce this?

I've put an unpatched version of the demo referred to above at

  http://www.better.se/bindows/test/

for the time being.

Ooh, thanks! I reproduced it right away. Now I can check to see if the patch in 400976 really does fix it, or if it's a separate problem.

In a debug build I crashed in js_LookupPropertyWithFlags, below that it was the same as comment 5. Looks like an uninitialized variable (0xcccccccc in a debug build).
Status: UNCONFIRMED → NEW
Ever confirmed: true
i can confirm this crash. 

Does not crash on Firefox 2.0.0.6/2.0.0.7 and does crash on Firefox 2.0.0.8 with the steps to reproduce 
The patch in bug 400976 fixes the crash for me on the test version of bindows linked from comment 16

For a potential branch update I don't think we should mark this a duplicate of bug 400976, for testing purposes and clarity.
Assignee: nobody → Olli.Pettay
This bug is fixed by the checkin from Bug 400976 -> Fixed

verified fixed 1.8.1.9 using Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.8.1.9) Gecko/2007102514 Firefox/2.0.0.9 (Firefox 2.0.0.9 RC1) and the testurl from comment #16. I do not crash on the RC1 on this link anymore, so adding the verified keyword.
Status: NEW → RESOLVED
Closed: 17 years ago
Keywords: verified1.8.1.9
Resolution: --- → FIXED
Changed URL in bug to the test site from comment #16 (thanks, Marcus).
URL: http://www.bindows.net/demos/http://www.better.se/bindows/test/
Flags: in-testsuite?
This was also checked into the 1.8 branch --> fixed1.8.1.10
Keywords: fixed1.8.1.10
Flags: blocking1.8.1.9?
Flags: blocking1.8.1.9+
Flags: blocking1.8.1.11?
Flags: blocking1.8.1.10+
the test case from comment #16 is no longer available, so its not possible to verify this bug for 1.8.1.10 currently
(In reply to comment #23)
> the test case from comment #16 is no longer available, so its not possible
> to verify this bug for 1.8.1.10 currently

Sorry, I thought you were already done with this bug. The test case is back now. (Please tell me when I can remove it.)

(In reply to comment #24)
> (In reply to comment #23)
> > the test case from comment #16 is no longer available, so its not possible
> > to verify this bug for 1.8.1.10 currently
> 
> Sorry, I thought you were already done with this bug. The test case is back
> now. (Please tell me when I can remove it.)
> 

hi Marcus, many thanks for putting this online again. 

I can now verify this bug also fixed for 1.8.1.10 with Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.8.1.10) Gecko/2007111504 Firefox/2.0.0.10 - no crash on testcase and so the bug is completely done verified now. 

thanks for your help again.

- adding verified keyword
Keywords: fixed1.8.1.10verified1.8.1.10
We need to get a version of this test into our automated test suite, if possible.  We wouldn't want to regress this in a few days because of some other change...
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: